TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: In light of the continued exploitation of multiple vulnerabilities impacting Ivanti Connect Secure VPN and Policy Secure devices, CISA and other Five Eyes Intelligence agencies have prompted organizations to strongly consider whether to continue using Ivanti products.
According to a recent joint report from CISA, the FBI, MS-ISAC, ASD’s ACSC, NCSC-UK, CCCS, NCSC-NZ, and CERT-NZ, the agencies continue to observe widespread exploitation of multiple Ivanti vulnerabilities. The report details exploitation of three known Ivanti vulnerabilities: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. CVE-2023-46805 and CVE-2024-21887 were disclosed on January 10th, but their exploitation in the wild has been traced back to early December 2023. CVE-2024-21893 was disclosed on January 31st, after exploitation had already been detected. Chained together, these vulnerabilities allow threat actors to “bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges”.
CISA has observed exploitation leading to the deployment of multiple webshells, including BUSHWALK, LIGHTWIRE, and CHAINLINE; a successful deployment gives the attacker persistent access to the device. In a report released this week, Mandiant identified exploitation of these vulnerabilities leading to the deployment of several novel malware families tracked as LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Initial exploitation was limited to a single threat actor group, but the vulnerabilities are now being targeted by both financially motivated threat actors and state-sponsored APT groups.
The eSentire Threat Intelligence team continues to perform threat hunts based on available Indicators of Compromise (IoCs). eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all recently disclosed Ivanti vulnerabilities. Additionally, eSentire MDR for Network has rules in place to identify exploitation attempts for CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. eSentire has released threat advisories for all of the mentioned vulnerabilities [1] [2].
As exploitation has been ongoing since at least December 2023, it is critical that all impacted Ivanti Connect Secure VPN and Policy Secure devices are up to date on security patches. Devices that remained unpatched during that window should be reviewed for signs of compromise. Patching alone is not sufficient: impacted devices should be reset to the factory default configuration before the patch is applied, so that anything an attacker left on the appliance does not survive the upgrade. Ivanti has released both internal and external Integrity Checker Tools (ICT) to help organizations identify exploitation of these vulnerabilities. However, the CISA joint report confirms that threat actors can bypass the ICT, producing false negative results, which can give organizations a false sense of security if the tool is treated as authoritative. The ICT should still be run, but a clean result must not be read as confirmation that no malicious activity occurred; it should be combined with hunting for the published IoCs.
While the reporting agencies have not observed threat actors persisting on devices after remediation actions, the report urges “organizations to consider the significant risk of adversary access to and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment”. This statement on potentially removing devices highlights the significant risk that these vulnerabilities pose to organizations. US government agencies were given until January 22nd to apply patches for CVE-2023-46805 and CVE-2024-21887, and until February 2nd to update for CVE-2024-21893.
Bottom Line: Despite a recent law-enforcement disruption, the LockBit Ransomware-as-a-Service (RaaS) group has resumed operations with confirmed new attacks. The group’s rapid return underscores the ongoing contest between cybercriminals and global law enforcement.
On February 20th, 2024, a law enforcement task force operating under the name Operation Cronos announced the disruption of the LockBit ransomware gang’s operations. The task force comprised law enforcement agencies from Australia, Canada, Finland, France, Germany, Japan, the Netherlands, New Zealand, Poland, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States. The operation resulted in two arrests, the takedown of LockBit servers in multiple countries, the freezing of 200 cryptocurrency wallets, the identification of 14,000 accounts tied to exfiltration or infrastructure, and the seizure of the remaining infrastructure.
Only days later, on February 24th, the LockBit gang published its own account of the breach along with a statement that it was returning to business with reinforced infrastructure. In the announcement, LockBit attributed the breach to “personal negligence and irresponsibility”, stating that only its PHP servers were compromised and that this was possible because they had not been patched. The group claims those servers are now patched and is offering a reward to anyone who finds a vulnerability in the latest version. LockBit also stated that it will target the .gov sector more heavily, in an effort to provoke law enforcement into revealing whether it can carry out another takedown.
On February 27th, the LockBit ransomware gang resumed operations, deploying updated encryptors and launching a new data leak site. The first new LockBit attacks were reported by Zscaler, which observed ransomware attacks using updated TOR URLs for the new infrastructure. LockBit also made changes intended to improve its operational security. In a statement, the group said: “Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced.”
eSentire MDR for Network and Endpoint have a variety of detections in place to identify LockBit ransomware and precursor actions.
LockBit’s swift recovery and adjustments after Operation Cronos show how adaptive established cybercriminal organizations are. Its focus on hardening its infrastructure and decentralizing operations is a direct response to the law enforcement action, aimed at sustaining the operation and limiting future disruptions. Even so, the disruption may have a longer-term impact: NCSC has stated that information on affiliate members was taken during Operation Cronos, and affiliates may choose to avoid working with LockBit in the future because of the perceived increase in risk.
These incidents reinforce the need for a multi-layered security approach: regular updates, vulnerability management, and advanced detection and response capabilities. LockBit’s ability to adapt and resume operations within days shows why a proactive, comprehensive security posture is required against mature ransomware operations.
In the 2024/02/23 Weekly Threat Briefing, eSentire’s Threat Intelligence team assessed that ‘it is highly likely that the ransomware group will reemerge and continue its operations.’
LockBit’s resurgence and operational changes after the law enforcement disruption underscore the dynamic nature of the threat landscape. Organizations, particularly those in or associated with government sectors, should prioritize robust security controls and prepare for the evolving tactics of ransomware gangs like LockBit. Countering ransomware effectively requires not only technical measures but also continued collaboration among global law enforcement and the cybersecurity community.
Bottom Line: Russian state-sponsored adversaries are exploiting poorly secured IoT devices and cloud instances to enable future attacks. Recent releases from Five Eyes intelligence agencies are meant to raise awareness for private individuals and companies about these threats.
This week, Five Eyes Intelligence agencies released two separate reports on recent Russian state-sponsored APT activity. Russian APT groups remain highly active, targeting a variety of industries across multiple countries. Observed activity is often focused on gaining and maintaining long-term access for purposes including espionage.
On February 26th, CISA, in partnership with the UK National Cyber Security Centre (NCSC) and other U.S. and international partners released a joint advisory on the evolving Tactics, Techniques, and Procedures (TTPs) employed by APT29 (aka Midnight Blizzard, the Dukes, or Cozy Bear); this group is associated with Russia’s Foreign Intelligence Service (SVR). APT29 has a history of targeting a wide range of sectors, including government, think tanks, healthcare, energy, aviation, education, law enforcement, and military organizations. APT29 has shifted their focus to targeting organizations’ cloud services. According to the joint advisory, the group uses a wide variety of tactics to achieve initial access into cloud services, including brute force attacks, password spraying, exploiting cloud tokens, bypassing Multi-Factor Authentication (MFA), and the use of residential proxies.
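The advisory lists brute force and password spraying alongside residential proxies, and the combination matters for detection: per-source-IP thresholds miss a spray that is distributed across many proxy addresses, each touching only an account or two. The following Python is an added example (not code from eSentire or from the advisory) of the two signatures evaluated over constructed sign-in records. The `ts user= ip= result=` line layout, the thresholds, and the sample records are assumptions for illustration; a real deployment maps the provider’s sign-in audit fields onto the same logic.

```python
"""Toy detections for the credential-guessing TTPs in the APT29 advisory
(password spraying vs. brute force) over constructed cloud sign-in events."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real telemetry. The "ts user= ip= result="
# layout is an assumption; map your provider's sign-in audit fields onto it.
# Source addresses are taken from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2024-02-26T10:00:01Z user=alice ip=203.0.113.7 result=failure
2024-02-26T10:00:04Z user=bob ip=203.0.113.7 result=failure
2024-02-26T10:00:09Z user=carol ip=198.51.100.23 result=failure
2024-02-26T10:00:15Z user=dave ip=198.51.100.23 result=failure
2024-02-26T10:00:21Z user=erin ip=203.0.113.7 result=failure
2024-02-26T10:00:27Z user=frank ip=192.0.2.44 result=failure
2024-02-26T10:00:33Z user=grace ip=192.0.2.44 result=failure
2024-02-26T10:00:40Z user=heidi ip=198.51.100.23 result=success
2024-02-26T10:20:00Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T10:20:01Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T10:20:02Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T10:20:03Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T10:20:04Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T10:20:05Z user=ivan ip=203.0.113.9 result=failure
2024-02-26T11:30:00Z user=alice ip=203.0.113.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_events(text):
    """Parse the assumed line layout into time-sorted Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable sign-in record: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["ip"], m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def _trailing_windows(failures, window):
    """For each failure, yield the slice of failures inside the trailing window."""
    start = 0
    for end, ev in enumerate(failures):
        while failures[start].ts < ev.ts - window:
            start += 1
        yield failures[start:end + 1]


def detect_password_spray(events, window=timedelta(minutes=5),
                          min_accounts=5, max_per_account=2):
    """Spray signature: many distinct accounts fail inside one window while no
    single account is hit more than a few times. Counted fleet-wide rather than
    per source IP, so a spray pushed through many residential-proxy addresses
    (each touching one or two accounts) still trips it. Returns the largest
    matching window as a dict, or None."""
    failures = [e for e in events if not e.success]
    best = None
    for chunk in _trailing_windows(failures, window):
        per_user = Counter(e.user for e in chunk)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            ips = sorted({e.ip for e in chunk})
            if best is None or len(per_user) > len(best["accounts"]):
                best = {"accounts": sorted(per_user), "source_ips": ips,
                        "distributed": len(ips) > 1}
    return best


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Brute-force signature: one account fails `threshold` or more times in a
    window. Returns {user: peak failures seen in any window}."""
    failures = [e for e in events if not e.success]
    hits = {}
    for chunk in _trailing_windows(failures, window):
        for user, n in Counter(e.user for e in chunk).items():
            if n >= threshold:
                hits[user] = max(n, hits.get(user, 0))
    return hits


def successes_from_spray_sources(events, spray):
    """Triage helper: successful sign-ins from any address seen in the spray.
    These are the sessions to review for stolen tokens or MFA bypass."""
    if spray is None:
        return []
    return sorted({(e.user, e.ip) for e in events
                   if e.success and e.ip in spray["source_ips"]})
```

Running `detect_password_spray(parse_events(SAMPLE_LOG))` flags the seven single-failure accounts spread over three addresses as a distributed spray, while `detect_brute_force` separately reports the six rapid failures against one account; `successes_from_spray_sources` then lists the successful logins from the spraying addresses, which is where the token-theft and MFA-bypass review described in the advisory should start.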
On February 27th, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners issued a joint Cybersecurity Advisory (CSA) warning that Russian state-sponsored cyber actors are using compromised Ubiquiti EdgeRouters to conduct malicious operations globally. The threat actor group tracked as APT28 (aka Fancy Bear, Forest Blizzard, or Strontium) was observed compromising these routers to enable follow-on attacks; observed uses included harvesting credentials, collecting NTLMv2 digests, proxying network traffic, and hosting spear-phishing landing pages and custom tools. APT28 has a history of targeting industries including aerospace, defense, education, energy, and utilities; this campaign is not believed to have targeted a specific industry.
The eSentire Threat Intelligence team continues to track activity associated with known Russian state-sponsored APT groups including APT28 and APT29. The eSentire product suite includes detections for a wide variety of known APT tools and techniques.
Russian APT activities underscore a significant and evolving threat to global cybersecurity. Their ability to compromise critical network infrastructure and conduct operations undetected highlights the need for heightened vigilance, robust cybersecurity defenses, and international cooperation to mitigate these threats.
The continued adaptation of Russian APT groups to exploit both cloud infrastructure and network devices presents a complex challenge for cybersecurity. Their methods emphasize the importance of comprehensive security measures, including the secure configuration of devices, ongoing monitoring, and the prompt application of security updates and patches.
The recent advisories from CISA, alongside reports on both Chinese and Russian APT activity highlight a concerted effort by state-sponsored actors to leverage router vulnerabilities for strategic gains. Similar to APT28's exploitation of Ubiquiti EdgeRouters, the Chinese APT Volt Typhoon exploited Cisco and NETGEAR end-of-life (EoL) small office/home office (SOHO) routers. Routers are pivotal for network security, directing internal and external traffic and serving as an important line of defense against cyber threats. By compromising routers, APT groups gain the ability to monitor, intercept, and manipulate data passing through these devices. This capability is crucial for intelligence gathering, facilitating further network infiltration, and, potentially, disrupting critical communications during geopolitical tensions or conflicts.
The proactive measures taken by government agencies to remove MooBot and KV Botnet malware from infected devices represent a significant stride in the ongoing battle against global cyber threats. This operation underscores the complexities and challenges of countering botnet-driven cyber activities orchestrated by Advanced Persistent Threat (APT) groups. Botnets like MooBot and KV, which compromise a vast network of infected devices, are utilized by APT groups to conduct Distributed Denial-of-Service (DDoS) attacks, espionage, and other malicious activities. By leveraging infected routers and IoT devices, attackers gain the ability to launch large-scale cyber operations with relative anonymity and resilience. The government-led initiative to identify and neutralize these threats directly disrupts the operational capabilities of APT groups, diminishing their reach and effectiveness.
Advanced Persistent Threat (APT) groups are increasingly targeting routers and IoT devices, capitalizing on the lower likelihood of these devices running comprehensive security software, such as endpoint protection or log monitoring solutions. This focus is driven by the objective of achieving long-term, undetected persistent access within targeted networks, which offers significant strategic advantages for conducting espionage, data exfiltration, and sophisticated cyber-attacks.
The persistence and sophistication of APT activities highlight an urgent need for organizations to reassess and strengthen their cybersecurity posture. Adhering to recommended mitigations, sharing threat intelligence, and collaborating on security efforts are crucial steps in defending against these persistent threats.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.